Many users of Facebook’s WhatsApp messaging software were scrambling to patch the program on Tuesday, in response to news of a flaw that allowed spyware to be installed on mobile phones running Android and iOS.
“This new type of attack is deeply worrying and shows how even the most trusted mobile apps and platforms can be vulnerable,” said Mike Campin, vice president of engineering at Wandera, a mobile security provider based in San Francisco.
“While this attack is based on a previously identified exploit known as Pegasus, the fact that it has been repackaged into a form that can be delivered via a simple WhatsApp call has shocked many,” he continued.
WhatsApp, which is used by 1.5 billion people worldwide, typically is not deployed as an official corporate messaging application, Campin noted, but it is used widely internationally, both on employees’ personal devices and on corporate-issued devices.
That can be problematic for organizations, he said, because once exploited via this new attack, the attacker has complete control and visibility of all data on the phone.
WhatsApp on Monday advised users to patch the software as soon as possible to avoid any potential infections.
“WhatsApp encourages people to upgrade to the latest version of our app, as well as keep their mobile operating system up to date, to protect against potential targeted exploits designed to compromise information stored on mobile devices,” the company said in a statement.
Affected versions of the program are as follows:
- WhatsApp for Android prior to v2.19.134
- WhatsApp Business for Android prior to v2.19.44
- WhatsApp for iOS prior to v2.19.51
- WhatsApp Business for iOS prior to v2.19.51
- WhatsApp for Windows Phone prior to v2.18.348
- WhatsApp for Tizen prior to v2.18.15
Once it was made aware of the vulnerability, the company acted relatively quickly to issue a patch. It fixed the app’s infrastructure in 10 days, and it released a secure version of the software last Friday. It also notified law enforcement authorities in the United States and United Kingdom.
“It seems that they acted quickly on fixing the vulnerability and notifying the public and the government,” said Joseph A. Turner, chief Intelligence officer of Proventus Cybersecurity, a computer and network security company in Aliso Viejo, California.
That nimble response may benefit both WhatsApp and its parent, Facebook.
“With the way WhatsApp dealt with this vulnerability, and since it seems that an outside attacker is involved, there are no fingers pointed at Facebook or WhatsApp at this time,” Turner told TechNewsWorld.
“However, we are seeing users move to other messaging apps due to privacy concerns,” he added.
By exploiting the flaw in WhatsApp, an attacker could insert malicious code into a phone by simply placing a WhatsApp call, even if the call went unanswered.
The exploit should be of particular concern for iPhone users, noted Rusty Carter, vice president for product management at Arxan Technologies, an application protection company in San Francisco.
“Apple’s ecosystem has this reputation of safety, and sandboxing applications to prevent one from interfering with another,” he told TechNewsWorld.
“This event blows that apart,” Carter continued, “because here we have a vulnerability in a single app allowing someone to install software that affects the entire device and all the software running on it. This is a scary development.”
Human Rights Lawyer Targeted
The malicious code’s digital footprint is similar to spyware tools marketed by the NSO Group, an Israeli maker of military grade hacking tools, according to security researchers who examined it..
One of the targets of the spyware, according to a New York Times report, was a London lawyer who has been involved in a number of lawsuits involving NSO. The complaints accuse NSO Group of providing tools to hack the phones of Omar Abdulaziz, a Saudi dissident in Canada; a Qatari citizen; and a group of Mexican journalists and activists.
“NSO’s technology is licensed to authorized government agencies for the sole purpose of fighting crime and terror,” the company said in a statement.
“The company does not operate the system, and after a rigorous licensing and vetting process, intelligence and law enforcement determine how to use the technology to support their public safety missions,” it continued.
“We investigate any credible allegations of misuse and if necessary, we take action, including shutting down the system,” the company maintained. “Under no circumstances would NSO be involved in the operating or identifying of targets of its technology, which is solely operated by intelligence and law enforcement agencies.”
“NSO would not or could not use its technology in its own right to target any personal organization, including this individual,” it added.
Better Management of Dangerous Weapons
The WhatsApp hack is an example of military cyberweapons getting out “into the wild” and being used by criminals, much like the WannaCry attack on the UK’s National Health System two years ago, said Mark Skilton, a professor with digital communications expertise at the Warwick Business School in Coventry, UK.
“It is a reminder of how much trust we put in these social media platforms to protect our privacy,” he said. “In this case we might not detect this attack to install spyware on our messages, like a phishing email, until it’s too late.”
It will never be possible for systems to be 100 percent safe, he acknowledged, but at the end of the day, large public platforms like Facebook, Google and Twitter should be more accountable for management of their platforms.
“We need the systems they use to be tested constantly, but the bigger issue here is about the proper management of these types of weapons,” Skilton said.
“Firms like NSO, who reportedly developed the spyware used on WhatsApp, have a responsibility to prevent them from getting into the wrong hands, and used on targets such as Amnesty International and the NHS, where it can have disastrous consequences for vulnerable people,” he continued.
“These new cyber weapons must be classified as very dangerous in the wrong hands and managed as such,” Skilton added.
Move to Block Export License
Meanwhile, Amnesty International on Monday moved to block the export of military grade cyberweapons at their source, through a lawsuit filed in the District Court of Tel Aviv, which aims to revoke NSO’s export license.
In its complaint, Amnesty alleges one of its employees came under attack from NSO software.
“NSO Group sells its products to governments who are known for outrageous human rights abuses, giving them the tools to track activists and critics,” said Danna Ingleton, deputy director of Amnesty Tech.
“The attack on Amnesty International was the final straw,” she observed.
Israel’s Ministry of Defense has ignored mounting evidence linking NSO to attacks on human rights defenders, Ingleton maintained.
“As long as products like Pegasus are marketed without proper control and oversight, the rights and safety of Amnesty International’s staff and that of other activists, journalists and dissidents around the world is at risk,” she added.
The legal action is supported by Amnesty International as part of a joint project with the New York University School of Law’s Bernstein Institute for Human Rights and Global Justice Clinic.
“The targeting of human rights defenders for their work, using invasive digital surveillance tools, is not permissible under human rights law,” said Margaret Satterthwaite, the institute’s faculty director.
“Without stronger legal checks, the spyware industry enables governments to trample on the rights to privacy, freedom of opinion and expression,” she added. “The Israeli government needs to revoke NSO Group’s export license and stop it profiting from state-sponsored repression.”